Reject negative request_parse_body() max_input_vars option

Author: OracleNep

NEWS

@@ -226,6 +226,8 @@ PHP                                                                        NEWS
     contains null bytes. (Weilin Du)
   . parse_str() now raises a ValueError when the $string argument contains
     null bytes. (Weilin Du)
+  . request_parse_body() now raises a ValueError for negative max_input_vars
+    option values. (OracleNep)
   . proc_open() now raises a ValueError when the $cwd argument contains
     null bytes. (Weilin Du)
   . ini_get_all() now includes the built-in default value in the details.

UPGRADING

@@ -142,6 +142,8 @@ PHP 8.6 UPGRADE NOTES
     contains null bytes.
   . parse_str() now raises a ValueError when the $string argument contains
     null bytes.
+  . request_parse_body() now raises a ValueError when the $options argument
+    contains a negative max_input_vars value.
   . linkinfo() now raises a ValueError when the $path argument is empty.
   . pathinfo() now raises a ValueError when an invalid $flag
     argument value is passed.

ext/standard/http.c

@@ -247,7 +247,7 @@ PHP_FUNCTION(http_build_query)
 }
 /* }}} */
 
-static zend_result cache_request_parse_body_option(HashTable *options, zval *option, int cache_offset)
+static zend_result cache_request_parse_body_option(zval *option, int cache_offset, const char *non_negative_option_name)
 {
 	if (option) {
 		zend_long result;
@@ -265,6 +265,10 @@ static zend_result cache_request_parse_body_option(HashTable *options, zval *opt
 			zend_value_error("Invalid %s value in $options argument", zend_zval_value_name(option));
 			return FAILURE;
 		}
+		if (non_negative_option_name && result < 0) {
+			zend_value_error("\"%s\" option in $options argument must be greater than or equal to 0", non_negative_option_name);
+			return FAILURE;
+		}
 		SG(request_parse_body_context).options_cache[cache_offset].set = true;
 		SG(request_parse_body_context).options_cache[cache_offset].value = result;
 	} else {
@@ -290,7 +294,15 @@ static zend_result cache_request_parse_body_options(HashTable *options)
 
 #define CHECK_OPTION(name) \
 	if (zend_string_equals_literal_ci(key, #name)) { \
-		if (cache_request_parse_body_option(options, value, REQUEST_PARSE_BODY_OPTION_ ## name) == FAILURE) { \
+		if (cache_request_parse_body_option(value, REQUEST_PARSE_BODY_OPTION_ ## name, NULL) == FAILURE) { \
+			return FAILURE; \
+		} \
+		continue; \
+	}
+
+#define CHECK_NON_NEGATIVE_OPTION(name) \
+	if (zend_string_equals_literal_ci(key, #name)) { \
+		if (cache_request_parse_body_option(value, REQUEST_PARSE_BODY_OPTION_ ## name, #name) == FAILURE) { \
 			return FAILURE; \
 		} \
 		continue; \
@@ -300,7 +312,7 @@ static zend_result cache_request_parse_body_options(HashTable *options)
 			case 'm':
 			case 'M':
 				CHECK_OPTION(max_file_uploads);
-				CHECK_OPTION(max_input_vars);
+				CHECK_NON_NEGATIVE_OPTION(max_input_vars);
 				CHECK_OPTION(max_multipart_body_parts);
 				break;
 			case 'p':
@@ -317,7 +329,8 @@ static zend_result cache_request_parse_body_options(HashTable *options)
 		return FAILURE;
 	} ZEND_HASH_FOREACH_END();
 
-#undef CACHE_OPTION
+#undef CHECK_OPTION
+#undef CHECK_NON_NEGATIVE_OPTION
 
 	return SUCCESS;
 }

ext/standard/tests/http/request_parse_body/options_negative_values.phpt

@@ -0,0 +1,53 @@
+--TEST--
+request_parse_body() rejects negative max_input_vars option values
+--FILE--
+<?php
+
+$invalidOptions = [
+    ['max_input_vars', -1],
+    ['max_input_vars', '-1'],
+    ['max_input_vars', '-1M'],
+    ['max_input_vars', '-1.0'],
+];
+
+foreach ($invalidOptions as [$name, $value]) {
+    try {
+        request_parse_body([$name => $value]);
+    } catch (Throwable $e) {
+        echo $name, ': ', get_class($e), ': ', $e->getMessage(), "\n";
+    }
+}
+
+$acceptedOptions = [
+    ['max_input_vars', 0],
+    ['max_file_uploads', -1],
+    ['post_max_size', -1],
+    ['post_max_size', 0],
+    ['upload_max_filesize', '-1M'],
+    ['upload_max_filesize', 0],
+    ['max_multipart_body_parts', -1],
+];
+
+foreach ($acceptedOptions as [$name, $value]) {
+    try {
+        request_parse_body([$name => $value]);
+    } catch (Throwable $e) {
+        echo $name, ': ', get_class($e), ': ', $e->getMessage(), "\n";
+    }
+}
+
+?>
+--EXPECTF--
+max_input_vars: ValueError: "max_input_vars" option in $options argument must be greater than or equal to 0
+max_input_vars: ValueError: "max_input_vars" option in $options argument must be greater than or equal to 0
+max_input_vars: ValueError: "max_input_vars" option in $options argument must be greater than or equal to 0
+
+Warning: Invalid quantity "-1.0": unknown multiplier "0", interpreting as "-1" for backwards compatibility in %s on line %d
+max_input_vars: ValueError: "max_input_vars" option in $options argument must be greater than or equal to 0
+max_input_vars: RequestParseBodyException: Request does not provide a content type
+max_file_uploads: RequestParseBodyException: Request does not provide a content type
+post_max_size: RequestParseBodyException: Request does not provide a content type
+post_max_size: RequestParseBodyException: Request does not provide a content type
+upload_max_filesize: RequestParseBodyException: Request does not provide a content type
+upload_max_filesize: RequestParseBodyException: Request does not provide a content type
+max_multipart_body_parts: RequestParseBodyException: Request does not provide a content type